Dirt Jumper DDoS Toolkit Gets Security Evasion Functionality

An attack toolkit notorious for being a coveted weapon of political hacktivists and other cybercriminals has gotten new functionality that could enable it to slip a torrent of malicious packets past DDoS mitigation appliances.

The Dirt Jumper DDoS toolkit, called Drive, now has functionality to test network ports for the use of known techniques that sample traffic for malicious activity, according to Jason Jones, a research analyst at Arbor Networks. In an analysis of Dirt Jumper obtained by CRN that's expected to be released Tuesday, Jones said the latest version "raises the bar for DDoS malware." Jones, of the Arbor Security Engineering and Response Team, said the latest update to the toolkit is significant.

"We expect that this is just the first of many pieces of malware to attempt to incorporate these bypass techniques," Jones wrote in his analysis. "This is one ... the first pieces of DDoS malware that ASERT has seen actively attempt to defeat known mitigation techniques."

The new "Smart Attack" functionality sends out an attack packet that looks for the cookie value or location data set by DDoS mitigation techniques and uses a technique in the next packet it sends to try to slip past the sensors as legitimate traffic. Jones said the attack has been seen in one sample, but he said it would likely become more common.

The attackers built in two other techniques. A "long attack" attempts to keep a network socket open for an extended period to flood as much data as it can into the pipeline. A "byte attack" and an ICMP attack allow for sending smaller payloads.

Dirt Jumper Drive also has a strong internal engine that attempts to contact more than a dozen command-and-control servers once a system is infected, according to Jones.

The Dirt Jumper toolkit is believed to originate from Russia. It has been publicly available in underground hacking forums and used since 2009. In previous attacks observed by Arbor Networks, cybercriminals launched DDoS campaigns against a large corporation's load balancer and a Russian electronic trading platform.

Malware authors have been busy making improvements to Dirt Jumper over the years and recently boosted the malware's internal engine and made improvements in how its command-and-control servers respond to analysts trying to probe them, said Richard Henderson, a security strategist at Fortinet's FortiGuard Threat Research and Response Labs. Henderson told CRN that, up until now, Dirt Jumper has been easy to detect. The problem with Dirt Jumper, he said, is not preventing a bot from infecting the corporate network, but preventing already infected bots outside the network from attacking online assets.

"I think this is likely the initial or testing stages of a premium DDoS attack kit that will be sold to a very small number of buyers," Henderson said. "We've seen with some premium exploit kits in the past year; there continues to be a very good market out there for people willing to pay incredible amounts of money for tailor-made and exclusive kits."

Dirt Jumper has been seen targeting banks and other financial institutions. A report issued by Dell SecureWorks connected the Dirt Jumper attack toolkit to a series of unauthorized wire transfers and noted that it may have drained at least one account of more than $2 million.

Attackers are using a technique to test the effectiveness of Dirt Jumper against a targeted bank's IT team. Security researchers and law enforcement have observed short-lived bursts of traffic from Dirt Jumper and, if the probe proves effective, a full attack, followed by an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account, according to Dell SecureWorks.

Attacks have resulted in money being funneled to banks in Russia, Cyprus and China. In these cases, attackers then launder the funds at various locations, including two known locations in Eastern Europe, Dell SecureWorks said.